Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
external-header-nav
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Junos CLI Reference CLI Reference T

Junos CLI Reference

keyboard_arrow_up
close
keyboard_arrow_left
Junos CLI Reference
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

test aaa ppp user

date_range 09-Dec-23
arrow_backward
arrow_forward

Syntax

content_copy zoom_out_map
test aaa ppp user username
<agent-remote-id ari>
<logical-system logical-system-name>
<no-address-request>
<password password>
<profile access-profile-name>
<routing-instance routing-instance-name>
<service-type service-type>
<terminate-code code-value>

Description

Verify Point-to-Point Protocol (PPP) subscriber access authentication, accounting, and address allocation configuration by creating a test pseudo session.

Note:

The test aaa command supports all RADIUS-sourced attributes, both IETF standard attributes and Juniper Networks VSAs. Received attributes are displayed in the output. For information about standard RADIUS attributes, see Standard and Vendor-Specific RADIUS Attributes. For information about Juniper Networks VSAs, see Standard and Vendor-Specific RADIUS Attributes.

Note:

Starting in Junos OS Release 19.3R1, the XML output format has changed. Each RADIUS server attribute name has an associated attribute value. Each of these pairs is now enclosed by the <radius-server-data> tag. The new tag makes it easier to recognize the name/value pairs, both for operators and API clients. You may have to change any scripts that use the XML output to work properly with the new format.

Options

username

Subscriber username to test.

agent-remote-id ari

(Optional) Value of the DSL Forum Agent-Remote-Id (VSA 26–2).

logical-system logical-system-name

(Optional) Logical system in which the subscriber is authenticated. This is the logical system in the AAA LS:RI context for the subscriber. This context differs from the subscriber context, which is the LS:RI in which the subscriber is placed, by either the Virtual-Router VSA (26-1) or the Redirect-VRouter-Name VSA (26–25).

no-address-request

(Optional) Request is sent for authentication without address allocation. Use for Layer 2-only scenarios where no address allocation request is needed.

Note:

The test aaa ppp user command tries to allocate an IPv4 address even when the subscriber is supposed to get only an IPv6 address. If that behavior is undesirable, include the no-address-request option when you issue the command.

password password

(Optional) Password associated with the username.

profile access-profile-name

(Optional) Access profile associated with the subscriber.

Note:

The system logically treats this profile as a client-level configuration. An access profile configured in a domain map takes precedence over client-level configurations. If you have configured one or more domain maps, the username for the user under test is evaluated against the domain maps the same as any other subscriber.

For example, the username can exactly match a domain map or partially match a wildcard domain map. If it matches neither of those, then it matches the default domain map if it is configured. If the username has no domain or realm ,then it matches the none domain map, if it is configured.

The consequence is that if the test user matches any configured domain map, then an access profile configured in that map is used for the test in preference to an access profile that you specify with the test command.

See Specifying an Access Profile in a Domain Map for more information about domain maps and access profiles.

routing-instance routing-instance-name

(Optional) Routing instance in which the subscriber is authenticated. This is the routing instance in the AAA LS:RI context for the subscriber. This context differs from the subscriber context, which is the LS:RI in which the subscriber is placed, by either the Virtual-Router VSA (26-1) or the Redirect-VRouter-Name VSA (26–25). In the case of VSA 26-25, the subscriber is re-authenticated in the subscriber context.

service-type service-type

(Optional) Value of the Service Type RADIUS attribute [6] that is associated with the test user; either a number in the range 1 through 255 or one of the following strings that corresponds to an RFC-defined service type; the numbers are the values that are carried in the RADIUS attribute to specify the service:

administrative (6)

callback-nas-prompt (9)

authenticate-only (8)

framed (2)

call-check (10)

login (1)

callback-admin (11)

nas-prompt (7)

callback-framed (4)

outbound (5)

callback-login (3)

terminate-code code-value

(Optional) Code associated with the subscriber termination.

Required Privilege Level

view

Output Fields

When you enter this command, you are provided feedback on the status of your request. For information about output fields related to authentication, accounting, and subscriber-specific information, see the show network-access aaa statistics, show network-access aaa statistics authentication, show network-access aaa subscribers, and show subscribers commands.

The test command does not support volume-time accounting. If volume-time accounting is configured for the test subscriber, the test command replaces the statistics with time-only accounting statistics.

This command displays only attributes that are supported by Junos OS; these attributes appear even when their values are not set. The Virtual Router Name (LS:RI) field matches the Juniper Networks Virtual-Router VSA (26-1), if present; otherwise the field displays default:default. The displayed value for all other attributes that are not received is <not set>.

Sample Output

test aaa ppp user

The following example tests the configuration for PPP subscriber user98BEDC and password $ABC123, and displays the resulting output:

content_copy zoom_out_map
user@host> test aaa ppp user user98BEDC@test.net password $ABC123
Authentication Grant
    ************User Attributes***********
         User Name -                              user98BEDC@test.net   
         Client IP Address -                      192.168.1.1       
         Client IP Netmask -                      255.255.0.0  
         Virtual Router Name (LS:RI) -            default:default   
         Agent Remote Id -                        NULL             
         Reply Message -                          NULL
         Primary DNS IP Address -                 0.0.0.0   
         Secondary DNS IP Address -               0.0.0.0   
         Primary WINS IP Address -                0.0.0.0          
         Secondary WINS IP Address -              0.0.0.0          
         Primary DNS IPv6 Address  -              ::
         Secondary DNS IPv6 Address  -            ::
         Framed Pool -                           <not set>         
         Class Attribute -                        TEST            
         Service Type -                           0                
         Client IPv6 Address -                    ::               
         Client IPv6 Mask -                       null             
         Framed IPv6 Prefix -                     ::/0
         Framed IPv6 Pool -                      <not-set>         
         NDRA IPv6 Prefix -                      <not-set          
         Login IPv6 Host -                        ::               
         Framed Interface Id -                    0:0:0:0      
         Delegated IPv6 Prefix -                  ::/0  
         Delegated IPv6 Pool -                   <not-set>         
         User Password -                          $ABC123          
         CHAP Password -                          NULL             
         Mac Address -                            00:00:5E:00:53:ab
         Idle Timeout -                           600             
         Session Timeout -                        6000            
         Service Name (1) -                       cos-service(video_sch, nc_sch)
         Service Statistics (1) -                 1                
         Service Acct Interim (1) -               600              
         Service Activation Type (1) -            1                
         Service Name (2) -                       filter-service(in_filter, out_filter)
         Service Statistics (2) -                 2                
         Service Acct Interim (2) -               900              
         Service Activation Type (2) -            1                
         Cos shaping rate -                       100m             
         Filter Id -                             <not set>         
         Framed MTU -                             (null)           
         Framed Route -                          <not set>         
         Ingress Policy Name -                   <not set>         
         Egress Policy Name -                    <not set>         
         IGMP Enable -                            disabled         
         Redirect VR Name (LS:RI) -               default          
         Service Bundle -                         Null             
         Framed Ip Route Tag -                   <not set>         
         Ignore DF Bit -                          disabled         
         IGMP Access Group Name -                <not set>         
         IGMP Access Source Group Name -         <not set>         
         MLD Access Group Name -                 <not set>         
         MLD Access Source Group Name -          <not set>         
         IGMP Version -                          <not set>         
         MLD Version -                           <not set>         
         IGMP Immediate Leave -                  <not set>       
         MLD Immediate Leave -                   <not set>       
         IPv6 Ingress Policy Name -              <not set>         
         IPv6 Egress Policy Name -               <not set>         
         Dynamic Profile -                       <not set>          
         Acct Session ID -                        1                
         Acct Interim Interval -                  750              
         Acct Type -                              1                
         Chargeable user identity -               0                
         NAS Port Id -                            -0/0/0.0         
         NAS Port -                               4095             
         NAS Port Type -                          15               
         Framed Protocol -                        1                
         IPv4 ADF Rule -                          010100
         IPv4 ADF Rule -                          010101
         IPv6 ADF Rule -                          030100
         IPv6 ADF Rule -                          030101
    ****Pausing 10 seconds before disconnecting the test user*********
    Logging out subscriber
         Terminate Id -                          <not set>         
    Test complete. Exiting

test aaa ppp user (tunneled user)

The following example tests the configuration for PPP tunneled subscriber accounting14, with password $ABC123 and access profile finance-b, and displays the resulting output:

content_copy zoom_out_map
user@host> test aaa ppp user accounting14 password $ABC123 14 profile finance-b
    Authentication Grant with Tunnel Attributes
    ************Tunnel Attributes***********
         ****Tunnel Definiton -                   1
             Tunnel Medium           -            1
             Tunnel Type             -            3
             Tunnel Max Sessions     -            100
             Tunnel Server Endpoint  -            192.0.2.4
             Tunnel Client Endpoint  -            198.51.100.5
             Tunnel Server AuthId    -            rt1
             Tunnel Client AuthId    -            ts1
             Tunnel Password         -            radius
             Tunnel Assignment Id    -            til
             Tunnel Logical System   -
             Tunnel Routing Instance -
    ****Pausing 10 seconds before disconnecting the test user*********
    Logging out subscriber
         Terminate Id -                           l2tp session-receive-cdn-avp-bad-hidden
    Test complete. Exiting

test aaa ppp user (authentication failure)

The following example shows sample output when the authentication grant fails due to an invalid password:

content_copy zoom_out_map
user@host>test aaa ppp user user45@test.net password $ABC123123
 Authentication Deny
    Reason : Access Denied
    Received Attributes :
         User Name -                              user45@test.net 
         Client IP Address -                      0.0.0.0          
         Client IP Netmask -                      0.0.0.0          
         Virtual Router Name (LS:RI)-             default          
         Agent Remote Id -                        NULL             
         Reply Message -                          NULL             
         Primary DNS IP Address -                 0.0.0.0          
         Secondary DNS IP Address -               0.0.0.0          
         Primary WINS IP Address -                0.0.0.0          
         Secondary WINS IP Address -              0.0.0.0          
         Primary DNS IPv6 Address  -              ::               
         Secondary DNS IPv6 Address  -            ::               
         Framed Pool -                            not set          
         Class Attribute -                        not set          
         Service Type -                           0                
         Client IPv6 Address -                    ::               
         Client IPv6 Mask -                       null             
         Framed IPv6 Prefix -                     ::/0             
         Framed IPv6 Pool -                       not-set          
         NDRA IPv6 Prefix -                       not-set          
         Login IPv6 Host -                        ::               
         Framed Interface Id -                    0:0:0:0          
         Delegated IPv6 Prefix -                  ::/0             
         Delegated IPv6 Pool -                    not-set          
         User Password -                          $ABC123123       
         CHAP Password -                          NULL             
         Mac Address -                            00:00:5E:00:53:ab
         Filter Id -                              not set          
         Framed MTU -                             (null)           
         Framed Route -                           not set          
         Ingress Policy Name -                    not set          
         Egress Policy Name -                     not set          
         IGMP Enable-                             disabled         
         Redirect VR Name (LS:RI)-                default          
         Service Bundle -                         Null             
         Framed Ip Route Tag -                    not set          
         Ignore DF Bit -                          disabled         
         IGMP Access Group Name -                 not set          
         IGMP Access Source Group Name -          not set          
         MLD Access Group Name -                  not set          
         MLD Access Source Group Name -           not set          
         IGMP Version -                           not set          
         MLD Version -                            not set          
         IGMP Immediate Leave -                   not set         
         MLD Immediate Leave -                    not set         
         IPv6 Ingress Policy Name -               not set          
         IPv6 Egress Policy Name -                not set          
         Acct Session ID -                        12               
         Acct Interim Interval -                  0                
         Acct Type -                              0                         Chargeable user identity -               0                
         NAS Port Id -                            -0/0/0.0         
         NAS Port -                               4095             
         NAS Port Type -                          15               
         Framed Protocol -                        0                
    Test complete. Exiting

test aaa ppp user (XML Output, Old Format)

The following example shows an excerpt of sample XML output in the old format:

content_copy zoom_out_map
user@host>test aaa ppp user user45@test.net password $ABC123 | display xml

<rpc-reply xmlns:junos=“namespace-URL”
    <aaa-test-result>
        <aaa-test-status>Authentication Grant</aaa-test-status>
        <aaa-test-status>************User Attributes***********</aaa-test-status>
        <radius-server-attribute-name>User Name -</radius-server-attribute-name>
        <radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
        <radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
        <radius-server-attribute-value>default:default</radius-server-attribute-value>
        <radius-server-attribute-name>Service Type -</radius-server-attribute-name>
        <radius-server-attribute-value>Framed</radius-server-attribute-value>
        <radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
        <radius-server-attribute-value>&lt;not set&gt;</radius-server-attribute-value>
...
  <aaa-test-status>Test complete. Exiting</aaa-test-status>
    </aaa-test-result>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>

test aaa ppp user (XML Output, New Format)

The following example shows an excerpt of sample XML output in the new format:

content_copy zoom_out_map
user@host>test aaa ppp user user45@test.net password $ABC123 | display xml

<rpc-reply xmlns:junos="namespace-URL">
    <aaa-test-result>
        <aaa-test-status>Authentication Grant</aaa-test-status>
        <aaa-test-status>************User Attributes***********</aaa-test-status>
        <radius-server-data>
            <radius-server-attribute-name>User Name -</radius-server-attribute-name>
            <radius-server-attribute-value>user45@test.net</radius-server-attribute-value>
        </radius-server-data>
        <radius-server-data>
            <radius-server-attribute-name>Virtual Router Name (LS:RI) -</radius-server-attribute-name>
            <radius-server-attribute-value>default:default</radius-server-attribute-value>
        </radius-server-data>
        <radius-server-data>
            <radius-server-attribute-name>Service Type -</radius-server-attribute-name>
            <radius-server-attribute-value>Framed</radius-server-attribute-value>
        </radius-server-data>
        <radius-server-data>
            <radius-server-attribute-name>Agent Remote Id -</radius-server-attribute-name>
            <radius-server-attribute-value>&lt;not set&gt;</radius-server-attribute-value>
        </radius-server-data>
...
        <aaa-test-status>Test complete. Exiting</aaa-test-status>
    </aaa-test-result>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>

Release Information

Command introduced in Junos OS Release 11.2.

Option terminate-code added in Junos OS Release 11.4.

Option agent-remote-id added in Junos OS Release 14.1.

Options no-address-request and service-type added in Junos OS Release 16.1.

Related Documentation

arrow_backward PREVIOUS test aaa dhcp user
NEXT arrow_forward test access profile
external-footer-nav